Absent Member.

Expected number of incidents/alerts from 20,000 EPS?


Hi All,

I have a question here:

Assume ArcSight has been deployed for a banking infrastructure and 20,000 EPS are generated. Out of 20,000 EPS, how many alerts/incidents can be expected?

I know that we have dependencies such as what we need to monitor, the number of devices like firewall, IDS/IPS, switch, router and application, internal and database logs, then the criticality of the network, and the host-based rules and correlation-based rules.

But can we derive an approximate count of the number of alerts that could possibly get triggered? Or do we have any sort of formula to get this information?

Please share your thoughts.

7 Replies
Absent Member.

I would wonder if someone can answer this question

Fleet Admiral

Hello,

The answer is quite easy: it depends on your use cases (content) and the devices you have connected. That said, the answer isn't easy anymore.

If everything is clean you don't get any incidents out of your data feed; however, if you have strict use cases and requirements you may get a lot.

Volker

Cadet 2nd Class

Ideally, as mentioned above, it really depends on what devices are integrated and what use cases are deployed.

Especially in a banking environment, policies and procedures are well defined and appropriate access controls and SoDs are in place.

Generally, 10 - 20 alerts should be triggering, which will also not be real security incidents; they would be corporate IT policy violations, operations, data usage or other types of alerts, which are also mandated requirements for different compliance standards.

I hope this helps.

Anwar

Absent Member.

Thanks for the replies guys.

I thought there might be some sort of formula or template for this.

Once again thanks...

Cadet 2nd Class

Well, there is some formula which vendors like HP and IBM claim, but that isn't reality.

In reality it depends how you handle the system and how well the policies are defined and enforced.

Thanks.

Absent Member.

Such a formula is complete BS. Disable all rules and you will get zero alerts. Create a rule with a "true" condition and you will get 20,000 alerts per second. Actually you will get just a few dozen alerts initially and the rule will be disabled automatically, but you get the idea.

Ensign

Hi Kartheepan, I suggest you consider that at the beginning of the implementation you will have many, many alerts that you will have to tune until you have low false positives. Also consider whether the number of alerts can actually be handled in real time by the resources available in your SOC.


No two customers are the same. In some customers we have the same rules processing almost the same EPS from the same devices, but the number of incidents generated by the rules is completely different.

Regards


Mario

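The replies above all make the same point from different angles: the alert count is a function of the rule content, not of the EPS figure, and the practical question is whether the SOC can work the alerts that the rules do produce. The following is an added example, not ArcSight code and not from any poster in this thread. It models a SIEM correlation rule in the common shape of a match condition plus aggregation (fire once when N matching events for the same key arrive within W seconds), runs a constructed 10-minute event stream through a few rules, and then compares the resulting alert rate with a simple analyst-capacity figure. The event fields, rule names, thresholds and capacity numbers are all assumptions chosen for illustration.

```python
"""Rule-driven alert count estimator (added example, not ArcSight code).

Assumptions (constructed for this example): events are dicts with 'ts'
(epoch seconds), 'type' and 'src'. A Rule mirrors the usual SIEM pattern of
a match condition plus aggregation: it fires once when `threshold` matching
events sharing the same key arrive within `window` seconds.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]
    threshold: int = 1                      # matches needed before firing
    window: float = 60.0                    # aggregation window in seconds
    key: Callable[[Event], str] = lambda e: "global"
    # per-key timestamps of matches not yet consumed by a firing
    _buckets: Dict[str, List[float]] = field(default_factory=dict)

    def feed(self, event: Event) -> bool:
        """Return True if this event makes the rule fire."""
        if not self.condition(event):
            return False
        ts = float(event["ts"])
        bucket = self._buckets.setdefault(self.key(event), [])
        bucket.append(ts)
        # forget matches that have aged out of the window
        while bucket and ts - bucket[0] > self.window:
            bucket.pop(0)
        if len(bucket) >= self.threshold:
            bucket.clear()                  # fire once, restart aggregation
            return True
        return False


def count_alerts(events: List[Event], rules: List[Rule]) -> Dict[str, int]:
    """Replay the stream in time order and count firings per rule."""
    counts = {r.name: 0 for r in rules}
    for ev in sorted(events, key=lambda e: float(e["ts"])):
        for r in rules:
            if r.feed(ev):
                counts[r.name] += 1
    return counts


def alerts_per_hour(total_alerts: int, duration_s: float) -> float:
    return total_alerts * 3600.0 / duration_s


def soc_can_keep_up(total_alerts: int, duration_s: float,
                    analysts: int, per_analyst_per_hour: float) -> bool:
    """Crude capacity check: alert rate vs. what the analysts can triage."""
    return alerts_per_hour(total_alerts, duration_s) <= analysts * per_analyst_per_hour


def make_sample_events() -> List[Event]:
    """Constructed 600-second stream; not real log data."""
    events: List[Event] = []
    # steady 1 EPS of benign firewall accepts for 10 minutes (600 events)
    for t in range(600):
        events.append({"ts": t, "type": "firewall_accept", "src": "10.0.0.1"})
    # brute-force-looking burst: 12 failures in 12 s from one host
    for t in range(12):
        events.append({"ts": t, "type": "auth_fail", "src": "10.1.1.5"})
    # a few scattered failures that should stay below the threshold
    for t in (100, 101, 102):
        events.append({"ts": t, "type": "auth_fail", "src": "10.1.1.6"})
    return events


def build_rules() -> List[Rule]:
    """Fresh rule objects each call, since a Rule carries aggregation state."""
    return [
        # the "true" rule from the thread: one alert per event, no tuning
        Rule("catch_all", lambda e: True),
        # a rule whose condition never matches this feed: zero alerts
        Rule("silent", lambda e: e["type"] == "malware_detected"),
        # volume rule: 50 accepts within 60 s -> one alert per 50 events
        Rule("fw_volume", lambda e: e["type"] == "firewall_accept",
             threshold=50, window=60),
        # brute force: 5 failures from the same source within 60 s
        Rule("brute_force", lambda e: e["type"] == "auth_fail",
             threshold=5, window=60, key=lambda e: str(e["src"])),
    ]


if __name__ == "__main__":
    counts = count_alerts(make_sample_events(), build_rules())
    for name, n in counts.items():
        print(f"{name:12s} {n:5d} alerts  ({alerts_per_hour(n, 600):.0f}/h)")
    tuned = sum(n for name, n in counts.items() if name != "catch_all")
    print("tuned rules, 2 analysts at 50/h each:",
          soc_can_keep_up(tuned, 600, analysts=2, per_analyst_per_hour=50))
```

Running it shows the spread the thread describes: the same 615 events yield 615 alerts under the catch-all rule, 0 under a rule nothing matches, 12 under the volume rule and 2 under the brute-force rule, so the only honest answer to "how many alerts from N EPS" is to enumerate the rules and their aggregation settings. The capacity check is the second half of Mario's advice: plug in the analyst headcount and a realistic triage rate, and a rule set that produces more alerts per hour than that product needs tuning before go-live rather than after.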